Welcome to the SecAware blog

I spy with my beady eye ...

8 Oct 2016

Marketing or social engineering?

Electronics supplier RS Online sent me an unsolicited promotional mailing in the post this week, consisting of a slimline USB stick mounted in a professionally printed cut-out card:

Well, it looks like something from RS' marketing machine.  It has their branding, images of the kinds of tools they sell and a printed URL to the RS website.  But the envelope has been modified ...

The printed sticker stamp top right has been crudely redacted with a black marker pen plus two further sticky labels, and 'postage paid' has been printed lower left, allegedly by the Hong Kong post office.  [I put the blue rectangle over my address.]

A week ago, we released a security awareness module on human factors in information security, including social engineering. Among other things, we discussed the risk of malware distributed on infectious USB sticks, and modified USB hardware that zaps the computer's USB port. The notes to a slide in the awareness seminar for management said this:
What would YOU do if you found a USB stick in your mailbox (at home or at work), or in the street, in the parking lot, in a corridor or sitting on your desk? 
In tests, roughly 50% of people plug found USB sticks into their computers.  A few of them may not care about the security risks (such as virus infections or physical damage that can be caused by rogue USB sticks), but most probably don’t even think about it – security doesn’t even occur to them. Maybe they simply don’t know that USB sticks can be dangerous.
Providing information about the dangers is straightforward: we can (and do!) tell people about this stuff through the awareness program.  But convincing them to take the risks seriously and behave more responsibly and securely is a different matter.  The awareness program needs to motivate as well as inform.  
The accompanying management briefing paper said:

It is possible that the USB stick carries malware, whether it truly originates from RS Online's marketing department in Hong Kong, or was intercepted and infected en route to me, or is a total fabrication, a fake made to look like a fancy piece of marketing collateral. I didn't request it from RS, in fact I've done no business with them for ages. The risk to loading the USB stick may be small ... but the benefit of being marketed-at is even less, negligible or even negative, so on balance it will be put through the office shredder.  It's a risk I'm happy to avoid.

Gary (Gary@isect.com)

PS  The title of this piece is ironic.  Marketing IS social engineering.

No comments:

Post a Comment